Skip to content

feat: enforce IPSIE session_expiry ceiling on local session lifetime#1126

Open
yogeshchoudhary147 wants to merge 2 commits into
mainfrom
feat/ipsie-session-expiry
Open

feat: enforce IPSIE session_expiry ceiling on local session lifetime#1126
yogeshchoudhary147 wants to merge 2 commits into
mainfrom
feat/ipsie-session-expiry

Conversation

@yogeshchoudhary147

@yogeshchoudhary147 yogeshchoudhary147 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps @auth0/auth0-spa-js to ^2.22.0 to pick up IPSIE session_expiry enforcement
  • Adds one unit test covering mid-session ceiling breach via getAccessTokenSilently
  • Adds Session Expiry from Upstream IdP (IPSIE) section to EXAMPLES.md

No provider code changes are needed. Enforcement is fully handled by auth0-spa-js. The React layer already propagates the undefined user/token responses into isAuthenticated: false state transitions. Routes wrapped with withAuthenticationRequired require no code changes; components calling getAccessTokenSilently() imperatively need an explicit null check (documented in EXAMPLES.md).

Test plan

  • All existing unit tests pass
  • New session_expiry ceiling (IPSIE SL1) test passes
  • Manual: deploy a Post-Login Action with api.idToken.setCustomClaim('session_expiry', Math.floor(Date.now() / 1000) + 120), log in, wait 2 minutes. The app should redirect to login without any code changes.

Summary by CodeRabbit

  • New Features

    • Added guidance for handling upstream identity provider session expiry, including how authentication state changes when the session limit is reached.
    • Documented the expected behavior for protected routes and token retrieval when access is no longer available.
  • Documentation

    • Expanded the examples guide with a new session-expiry walkthrough and upgrade notes for apps that assume users or tokens are always present after login.
  • Bug Fixes

    • Improved handling when silent token retrieval returns no value, ensuring auth state is cleared consistently.

@yogeshchoudhary147 yogeshchoudhary147 requested a review from a team as a code owner June 29, 2026 11:04
@yogeshchoudhary147 yogeshchoudhary147 force-pushed the feat/ipsie-session-expiry branch 2 times, most recently from 9d104e6 to 63added Compare June 29, 2026 11:13
@yogeshchoudhary147 yogeshchoudhary147 force-pushed the feat/ipsie-session-expiry branch from 63added to 6814d11 Compare June 29, 2026 13:16
Comment thread EXAMPLES.md Outdated
- `user` becomes `undefined`
- `getAccessTokenSilently()` returns `undefined` (no error thrown)

If your routes are wrapped with `withAuthenticationRequired`, no code changes are required — the state change triggers a redirect to login automatically. Components that call `getAccessTokenSilently()` imperatively (e.g. in a click handler or `useEffect`) need an explicit null check; see [Upgrading existing apps](#upgrading-existing-apps) below.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ceiling is only checked when something calls getAccessTokenSilently, getUser, or getIdTokenClaims again , there's no timer or background re-check in the provider, and isAuthenticated only changes when one of those runs and re-reads the user. So a user sitting on an already-rendered protected page past the ceiling stays authenticated until the next such call; the withAuthenticationRequired redirect fires off the isAuthenticated change, which won't happen on a passive page.

Could we soften "reflects the expired state on the next render" and "automatically" here so it reads as "on the next token/user call" rather than real-time? Otherwise it sets an expectation the SDK doesn't hold.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch — updated. Changed "on the next render" to "on the next call to getAccessTokenSilently, getUser, or getIdTokenClaims" and added a note that a passive page won't trigger the state change. Dropped "automatically" from the withAuthenticationRequired description too.

Comment thread EXAMPLES.md
Comment thread EXAMPLES.md
Comment thread EXAMPLES.md
Comment thread __tests__/auth-provider.test.tsx Outdated
});

describe('session_expiry ceiling (IPSIE SL1)', () => {
it('should return undefined and clear auth state when session ceiling is breached during getAccessTokenSilently', async () => {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I doesn't mock a token call actually happened ,a regression that short-circuits before calling getTokenSilently would still pass. It also doesn't exercise the ceiling itself, since enforcement lives in the underlying SDK.

Can we add an expect(clientMock.getTokenSilently).toHaveBeenCalled() and rename the test to say that, rather than "session_expiry ceiling" which implies it tests detection?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair — renamed the describe/it away from "ceiling" since we're not testing detection (that's spa-js's job), and added expect(clientMock.getTokenSilently).toHaveBeenCalled().

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR bumps the @auth0/auth0-spa-js dependency to ^2.22.0, adds a test verifying that getAccessTokenSilently() returns undefined and clears auth state when the underlying token retrieval resolves to undefined, and adds documentation in EXAMPLES.md describing session expiry behavior from upstream IdPs.

Changes

Session Expiry Support

Layer / File(s) Summary
Dependency update and test coverage
package.json, __tests__/auth-provider.test.tsx
Bumps @auth0/auth0-spa-js to ^2.22.0 and adds a test case confirming getAccessTokenSilently() returns undefined and clears isAuthenticated, user, and error when getTokenSilently resolves to undefined.
Session expiry documentation
EXAMPLES.md
Adds a table-of-contents entry and a new "Session Expiry from Upstream IdP (IPSIE)" section explaining the session_expiry claim, Post-Login Action setup, resulting SDK behavior, and app upgrade guidance.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: enforcing IPSIE session_expiry on local session lifetime.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/ipsie-session-expiry

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
EXAMPLES.md (1)

1623-1623: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Minor redundancy flagged by static analysis.

"this point in time" — consider trimming to "this point" or "this time".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@EXAMPLES.md` at line 1623, The sentence in EXAMPLES.md contains a small
redundancy in the `session_expiry` description. Update the text in the relevant
enterprise connection explanation to trim “this point in time” to a shorter
phrasing like “this point” or “this time,” keeping the meaning unchanged and
preserving the surrounding `id_token_session_expiry_supported` and
`session_expiry` context.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@EXAMPLES.md`:
- Line 1623: The sentence in EXAMPLES.md contains a small redundancy in the
`session_expiry` description. Update the text in the relevant enterprise
connection explanation to trim “this point in time” to a shorter phrasing like
“this point” or “this time,” keeping the meaning unchanged and preserving the
surrounding `id_token_session_expiry_supported` and `session_expiry` context.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4c526e11-06d3-4592-b4eb-cd7390fcdef7

📥 Commits

Reviewing files that changed from the base of the PR and between c899362 and 06c5a16.

📒 Files selected for processing (3)
  • EXAMPLES.md
  • __tests__/auth-provider.test.tsx
  • package.json

@kishore7snehil kishore7snehil left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants